What is COM Surrogate (dllhost.exe) and Why It Causes High CPU?

COM SURROGATE explained: what is it, and why is it running on your PC

COM SURROGATE (dllhost.exe) is generally recognized as a legitimate Windows process, although it can also be a malware in disguise. The legitimate version is developed by Microsoft and its purpose is to run COM objects aside from original processes that request them. This helps to avoid host process crash in event of a COM object crash. The COM Surrogate process hosts .dll files, therefore its name is dllhost.exe. However, malware developers sometimes tend to leverage the well-recognized process name and use it to name malevolent programs. In this guide, we will explain everything about the safe process version and provide tips how to detect a fake one and remove it.

COM is a short for Component Object Model. It is an interface created in 1993 by Microsoft, allowing programmers to create COM objects easily. These objects integrate into various programs and extend them. Windows Explorer may use the Surrogate process to create thumbnails for documents, images, videos or other file types in a folder. Therefore, in case of a thumbnail creation procedure fail, the crash will happen to COM Surrogate process, but not the whole Windows Explorer.

As suggested by Microsoft’s Raymond Chen, the process can be used in situations where the developer doesn’t feel sure about certain code. The problem can be solved by asking COM to host it in another process to avoid unnecessary crashes.

People often worry about High disk usage caused by this process. However, just like Microsoft Compatibility Telemetry or other processes, it might use a lot of RAM due to certain issues. We suggest running a quick free scan with RESTORO to identify troublesome programs and malware-related issues on the system.

Identify COM SURROGATE virus easily

Since the process name is widely known to be originated from Microsoft, some cybercriminals might attempt to use its name for the malicious processes started on the target system. As a consequence, the victim will see COM Surrogate causing High CPU (100% disk) and possibly dublicates of it in Task Manager. One of the quickest ways to check whether you’re dealing with the real or fake dllhost.exe is to check its file location. You can do it this way:

1. Open Windows Task Manager by pressing CTRL+ALT+DEL and then click Task Manager.
2. Here, press C button repeatedly until you find COM Surrogate (it is a fast way to search by the first letter). Right-click the process and choose Open File Location option. TIP: You may need to check several processes, in case you see more than one COM Surrogate running on your PC).
3. Check if the process-associated file is located in C:/Windows\System32 or C:/winnt/system32. It indicates that you are dealing with the genuine process. If the file is located anywhere else, you might be dealing with a virus.

One way or another, the only way to assure that it is safe or malicious is to boot computer in Safe Mode and run your antivirus software. It will use signature-based or machine-learning detection model to identify whether the COM Surrogate virus is real or not.

Some examples of viruses using this’ process name are Poweliks, Artemis, Nashi.A, Loveleet, and possibly other Trojans/rootkits.

Do not stop or disable the process

You cannot stop or disable COM Surrogate because it is an essential part of the whole Windows operating system. To be precise, it is responsible for smooth operation of COM objects and prevention of Windows Explorer crashes. These processes can be used by variety of programs (you may see several ones in WTM) to complete certain tasks outside the host process.

However, some users might feel the urge to disable the process due to certain problems caused by the process. In the majority of cases, the process will simply restart itself automatically. However, if you suspect that there is a serious or persistent problem with dllhost.exe, you may want to look deeper into it.

Common Problems related to COM SURROGATE process

Although the original DLLHOST.EXE process is safe and legitimate, there are some issues related to it that cause regular headaches for Windows users. Some of the most common issues related to it are:

COM Surrogate High CPU (high memory usage problem)

Many computer users report seeing an increased RAM usage by the said process. COM Surrogate causes high CPU in case of malware attack, corrupted files or outdated codecs. One way or another, you shouldn’t ignore this problem and take actions to fix it immediately.

COM Surrogate has stopped working

The said error typically occurs while browsing media files – videos or pictures stored on a computer. Typical issues causing the error are outdated drivers, false positive antivirus interruption, or disk errors.

COM Surrogate keeps popping up

Users on various Internet forums often discuss yet another persistent annoyance related to DLLHOST.exe. They report that COM Surrogate pop-ups and disappears or minimizes other programs for them. It typically happens every 5 or 10 minutes. There are several known fixes for this error, including disk error checking or updating codecs.

COM Surrogate asking for password

Some users have reported an issue related to Windows Security COM Surrogate asking for password for email. It can happen after manually shutting down the process. The first thing you should try if you’re dealing with this issue is to perform clean boot and see if you’re getting the prompt there. If you do not get the issue while in Safe Mode, it means that the issue is related to some third-party program. Otherwise, the issue might be related to outdated system version, wrong software installation bit-wise or other issue.

Now that you’re know what is COM Surrogate and why it may cause High CPU, you can no longer worry about it. Or you can take actions and check your computer’s security as explained previously.